
Commit 712812a

Adding service-specific guidance
1 parent 4aa7e86 commit 712812a

30 files changed

Lines changed: 2933 additions & 59 deletions

README.md

Lines changed: 52 additions & 15 deletions

service_control_policies/README.md

Lines changed: 2 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -160,7 +160,7 @@ Example data access patterns:
160160
* [Amazon WorkSpaces image](https://docs.aws.amazon.com/workspaces/latest/adminguide/share-custom-image.html): You can share custom WorkSpaces images with other accounts with the `UpdateWorkspaceImagePermission` API.
161161
* [Amazon CloudWatch sink](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html): You can share observability data with other accounts with the `CreateLink` API.
162162
* [AWS Service Catalog portfolio](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html): AWS Service Catalog portfolios can be shared with other AWS accounts with the `CreatePortfolioShare` API.
163-
* [AWS Config aggregator](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html): The `PutConfigurationAggregator` API allows you to select another account to add to your AWS Config aggregator.
163+
* [AWS Config aggregator](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html): The `PutConfigurationAggregator` API allows you to select another account to add to your AWS Config aggregator. Additionally, the `PutAggregationAuthorization` API allows you to authorize another account to collect data from your account.
164164
* [AWS Fault Injection experiment template](https://docs.aws.amazon.com/fis/latest/userguide/multi-account.html): You create a multi-account experiment template by specifying other accounts with the `CreateTargetAccountConfiguration` API.
165165
* [AWS Global Accelerator attachment](https://docs.aws.amazon.com/global-accelerator/latest/dg/cross-account-resources.create-attachment.html): You can add a resource from another account as an endpoint for an accelerator with the `CreateCrossAccountAttachment` API.
166166
* [AWS Cloud9 shared environment](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html): You can share AWS Cloud9 development environment with users from other accounts with the `CreateEnvironmentMembership` API.
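Review bot: the sentence added to the AWS Config aggregator bullet describes the authorizing side (`PutAggregationAuthorization`), but the bullet's only link still points at the aggregator documentation; add the link for aggregation authorizations next to the new sentence so readers can find the semantics of that API, and state the data flow plainly: the authorized account's aggregator collects configuration data from this account, which is the direction a data perimeter has to control.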
@@ -169,7 +169,7 @@ Example data access patterns:
169169

170170
### "Sid":"ProtectActionsNotSupportedByPrimaryDPControls"
171171

172-
This statement is included in [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and restricts actions that are not supported by primary data perimeter controls, such as those listed in the[ResourceOrgID condition key page](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid).
172+
This statement is included in [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and restricts actions that are not supported by primary data perimeter controls, such as those listed in the [ResourceOrgID condition key page](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid).
173173

174174
Example data access patterns:
175175

@@ -191,16 +191,6 @@ You can also consider using service-specific condition keys such as `ec2:Accepte
191191

192192
This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and prevents the attaching, detaching, and modifying of tags used for authorization controls within the data perimeter.
193193

194-
### "Sid":"PreventS3PublicAccessBlockConfigurations"
195-
196-
This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and prevents users from altering S3 Block Public Access configurations.
197-
198-
[S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources. With S3 Block Public Access, account administrators and bucket owners can set up centralized controls to limit public access to their Amazon S3 resources that are enforced, regardless of how the resources are created.
199-
200-
### "Sid":"PreventPublicBucketACL"
201-
202-
This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and prevents users from applying public read and public read-write canned access control lists to Amazon S3 buckets.
203-
204194
### "Sid":"PreventLambdaFunctionURLAuthNone"
205195

206196
This statement is included in the [data_perimeter_governance_scp](data_perimeter_governance_scp.json) and denies the creation of Lambda functions that have `lambda:FunctionUrlAuthType` set to `NONE`.
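Review bot: this hunk deletes the `PreventS3PublicAccessBlockConfigurations` and `PreventPublicBucketACL` sections without telling readers where that guidance now lives; the commit message says service-specific guidance is being added, yet no Amazon S3 document appears anywhere in this diff. Add a one-line pointer in place of the removed sections (for example `See the Amazon S3 service-specific guidance for controls on S3 Block Public Access and public canned ACLs.`) so the README does not silently drop two preventative controls.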

service_control_policies/data_perimeter_governance_scp.json

Lines changed: 1 addition & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,7 @@
5151
"oam:CreateLink",
5252
"servicecatalog:CreatePortfolioShare",
5353
"config:PutConfigurationAggregator",
54+
"config:PutAggregationAuthorization",
5455
"fis:CreateTargetAccountConfiguration",
5556
"globalaccelerator:CreateCrossAccountAttachment",
5657
"cloud9:CreateEnvironmentMembership",
@@ -100,37 +101,6 @@
100101
}
101102
},
102103
{
103-
"Sid": "PreventPublicBucketACL",
104-
"Effect": "Deny",
105-
"Action": [
106-
"s3:PutBucketAcl",
107-
"s3:CreateBucket"
108-
],
109-
"Resource": "*",
110-
"Condition": {
111-
"StringEquals": {
112-
"s3:x-amz-acl": [
113-
"public-read",
114-
"public-read-write"
115-
]
116-
},
117-
"StringNotEqualsIfExists": {
118-
"aws:PrincipalTag/dp:exclude:identity": "true"
119-
}
120-
}
121-
},
122-
{
123-
"Sid": "PreventS3PublicAccessBlockConfigurations",
124-
"Effect": "Deny",
125-
"Action": "s3:PutAccountPublicAccessBlock",
126-
"Resource": "*",
127-
"Condition": {
128-
"StringNotEqualsIfExists": {
129-
"aws:PrincipalTag/dp:exclude:identity": "true"
130-
}
131-
}
132-
},
133-
{
134104
"Sid":"PreventLambdaFunctionURLAuthNone",
135105
"Effect":"Deny",
136106
"Action":[

service_control_policies/service_specific_controls/README.md

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,9 @@ Use the following example SCPs individually or in combination:
1212
* [network_perimeter_iam_users_scp](/service_control_policies/service_specific_controls/network_perimeter_iam_users_scp.json) - Enforces network perimeter controls on IAM users with long-term access keys.
1313
* [network_perimeter_lambda_scp](/service_control_policies/service_specific_controls/network_perimeter_lambda_scp.json) - Enforces network perimeter controls on service roles used by AWS Lambda.
1414
* [restrict_nonvpc_deployment_scp](/service_control_policies/service_specific_controls/restrict_nonvpc_deployment_scp.json) - Enforces deployment of resources in a customer managed Amazon VPC.
15-
* [restrict_idp_configurations_scp](/service_control_policies/service_specific_controls/restrict_idp_configurations_scp.json) - Restricts ability to make configuration changes to the IAM SAML identity providers.
15+
* [restrict_idp_configurations_scp](/service_control_policies/service_specific_controls/restrict_idp_configurations_scp.json) - Restricts the ability to make configuration changes to the IAM SAML identity providers.
16+
* [restrict_untrusted_endpoints_scp](/service_control_policies/service_specific_controls/restrict_untrusted_endpoints_scp.json) - Prevent untrusted non-AWS resources from being configured as targets for service operations.
17+
* [restrict_presignedURL_scp](service_control_policies/service_specific_controls/restrict_presignedURL_scp.json) - Restricts the ability to create Amazon S3 presigned URLs within specific services.
1618

1719
Note that the SCP examples in this repository use a [deny list strategy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html), which means that you also need a FullAWSAccess policy or other policy attached to your AWS Organizations organization entities to allow actions. You still also need to grant appropriate permissions to your principals by using identity-based or resource-based policies.
1820

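Review bot: the `restrict_presignedURL_scp` link on line 17 omits the leading slash that every sibling entry uses (`/service_control_policies/...`), so it resolves relative to this folder and breaks; also the `restrict_untrusted_endpoints_scp` entry reads `Prevent untrusted ...` where the list's convention is third person (`Prevents`), and `restrict_sns_subscription_scp`, which the new `PreventUntrustedSNSEmailSubscriptions` section later in this file refers to, is missing from this list.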
@@ -91,3 +93,10 @@ For more details, see the definition of the parameter [`AppNetworkAccessType`](h
9193
This statement is included in the [restrict_nonvpc_deployment_scp](restrict_nonvpc_deployment_scp.json) and prevents users from creating [Amazon SageMaker Notebooks Instances](https://docs.aws.amazon.com/sagemaker/latest/dg/nbi.html) that can access the internet through a VPC managed by SageMaker.
9294
For more details, see [Connect a Notebook Instance in a VPC to External Resources](https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-notebook-and-internet-access.html) in the Amazon SageMaker documentation.
9395

96+
### "Sid": "PreventUntrustedSNSEmailSubscriptions"
97+
98+
This statement is included in the [restrict_sns_subscription_scp](/service_control_policies/service_specific_controls/restrict_sns_subscription_scp.json) and prevents users from subscribing email addresses that belong to domains other than the one denoted by <trusted_email_domain> to an SNS topic. See [Amazon SNS policy keys](https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#sns-policy-keys) for more details.
99+
100+
### "Sid": "PreventCreationOfServicePresignedURL"
101+
102+
This statement is included in the [restrict_presignedURL_scp](service_control_policies/service_specific_controls/restrict_presignedURL_scp.json) and prevents users from creating Amazon S3 presigned URLs within specific services.
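Review bot: `<trusted_email_domain>` on line 98 is not fenced, so Markdown treats it as an HTML tag and the placeholder vanishes from the rendered page; wrap it in backticks. The `restrict_presignedURL_scp` link again lacks the leading slash used elsewhere. The `PreventCreationOfServicePresignedURL` description says `within specific services`, but the policy it documents denies only `lambda:GetFunction`; name AWS Lambda explicitly and say that the denied call is the one whose response carries the presigned S3 URL for the deployment package (as the `service_owned_resources.md` row added in this commit describes), otherwise readers cannot tell what the control actually covers.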
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
{
2+
"Version": "2012-10-17",
3+
"Statement": [
4+
{
5+
"Sid": "PreventCreationOfServicePresignedURL",
6+
"Effect": "Deny",
7+
"Action": [
8+
"lambda:GetFunction"
9+
],
10+
"Resource": "*",
11+
"Condition": {
12+
"StringNotEqualsIfExists": {
13+
"aws:PrincipalTag/dp:exclude:network": "true"
14+
}
15+
}
16+
}
17+
]
18+
}
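Review bot: the Sid `PreventCreationOfServicePresignedURL` is generic, but the `Action` list holds a single entry, `lambda:GetFunction`; if more services are meant to be covered, list them, otherwise narrow the Sid to Lambda. The exclusion here keys on `aws:PrincipalTag/dp:exclude:network`, whereas the SNS policy added in the same commit keys on `dp:exclude:resource`; the two new SCPs should agree on which exclusion tag applies, or the README should explain why presigned-URL creation is classed as a network-perimeter concern. Since the deny has no other condition, every principal without that tag loses `GetFunction` entirely, which the README entry should state.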
Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
{
2+
"Version": "2012-10-17",
3+
"Statement": [
4+
{
5+
"Sid": "PreventUntrustedSNSEmailSubscriptions",
6+
"Effect": "Deny",
7+
"Action": [
8+
"sns:Subscribe"
9+
],
10+
"Resource": "*",
11+
"Condition": {
12+
"StringEquals": {
13+
"sns:Protocol": "email"
14+
},
15+
"StringNotLike": {
16+
"sns:Endpoint": "*@<trusted_email_domain>"
17+
},
18+
"StringNotEqualsIfExists": {
19+
"aws:PrincipalTag/dp:exclude:resource": "true"
20+
}
21+
}
22+
}
23+
]
24+
}
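Review bot: `sns:Endpoint` is matched with `StringNotLike` against `*@<trusted_email_domain>`; that operator is case-sensitive, so an address such as `User@Example.com` is denied against a lowercase placeholder value. That is the safe failure, but document it, and state that the placeholder must be replaced with a concrete domain before the policy is attached. The `StringEquals` on `sns:Protocol` lists only `email`; consider whether `email-json`, which also delivers to a mailbox, belongs beside it, since it is not restricted by this statement as written.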

service_owned_resources.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,7 @@ The following table contains service-owned resources that AWS services use to pe
4141
| Amazon S3 bucket | AWS Elastic Disaster Recovery | `arn:aws:s3:::aws-drs-clients-<region>/*`<br /><br />`arn:aws:s3:::aws-drs-clients-hashes-<region>/*`<br /><br />`arn:aws:s3:::aws-drs-internal-<region>/*`<br /><br />`arn:aws:s3:::aws-drs-internal-hashes-<region>/*`<br /><br />`arn:aws:s3:::aws-elastic-disaster-recovery-<region>/*`<br /><br />`arn:aws:s3:::aws-elastic-disaster-recovery-hashes-<region>/*` | Elastic Disaster Recovery uses service-owned S3 buckets to store and access managed resources used to perform its operations. The [AWS Replication Agent installer](https://docs.aws.amazon.com/drs/latest/userguide/agent-installation.html) uses a presigned URL, which is signed by the service account, to make requests to various service-owned S3 buckets, which originate from your VPC. See [Elastic Disaster Recovery network requirements](https://docs.aws.amazon.com/drs/latest/userguide/Network-Requirements.html) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) |
4242
| Amazon S3 bucket | AWS Certificate Manager (ACM) | `arn:aws:s3:::aws-ec2-enclave-certificate-<region>-prod/*` | ACM for AWS Nitro Enclaves uses an service-owned S3 bucket to distribute a certificate to an EC2-hosted web server. See [AWS Certificate Manager for Nitro Enclaves](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html#role-cert) for more details. | [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) |
4343
| Amazon S3 bucket | AWS CodeArtifact | `arn:aws:s3:::assets-<CodeArtifact-Region-Account>-<region>/*` | CodeArtifact uses service-owned S3 buckets to host the artifacts and redirects HTTP requests for an artifact repository URL to a presigned URL backed by one of service-owned buckets. See [Minimum Amazon S3 bucket permissions for AWS CodeArtifact](https://docs.aws.amazon.com/codeartifact/latest/ug/create-s3-gateway-endpoint.html#s3-gateway-endpoint-permissions) for more details| [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json) |
44+
| Amazon S3 bucket | AWS Lambda | `arn:aws:s3:::prod-04-2014-tasks/*`<br /><br />`arn:aws:s3:::awslambda-<region>-tasks/*` | AWS Lambda stores function deployment packages in service-owned S3 buckets. Lambda uses its service principal to create a presigned S3 URL, which can be used to download these packages. See [GetFunction](https://docs.aws.amazon.com/cli/latest/reference/lambda/get-function.html) for more details.| [s3_endpoint_policy.json](vpc_endpoint_policies/s3_endpoint_policy.json)*|
4445
| AWS CloudFormation transform | AWS CloudFormation | `arn:aws:cloudformation:*:aws:transform/*` | You can use [AWS CloudFormation transforms](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-reference.html) to process templates through a special macro that can modify or extend the functionality of a CloudFormation template before it is deployed. CloudFormation uses its service role or FAS to make requests to the transforms. See [Control CloudFormation access with AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html) for more details. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[cloudformation_endpoint_policy.json](vpc_endpoint_policies/cloudformation_endpoint_policy.json)* |
4546
| AWS IAM policy | Multiple | `arn:aws:iam::aws:policy/*` | You can use [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) to assign appropriate permissions to users, IAM groups, and roles. See [What are AWS managed policies?](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) for more details. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[iam_endpoint_policy](vpc_endpoint_policies/iam_endpoint_policy.json)* |
4647
| AWS Lambda layer | Multiple | `arn:aws:lambda:*:<service-account-id>:layer:*` | Services such as Amazon CloudWatch and AWS AppConfig maintain AWS Lambda extensions owned by Amazon that you can add as layers to you functions. For example, [CloudWatch Lambda Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights.html) and [AWS AppConfig Agent Lambda extension](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-lambda-extensions.html).See [Available versions of the Lambda Insights extension](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versions.html) and [Understanding available versions of the AWS AppConfig Agent Lambda extension](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-lambda-extensions-versions.html) for more details. Note that `<service-account-id>` can vary by AWS Region, and you might need to allow multiple account IDs if you are operating in multiple Regions. | [resource_perimeter_scp.json](service_control_policies/resource_perimeter_scp.json)<br /><br />[lambda_endpoint_policy](vpc_endpoint_policies/lambda_endpoint_policy.json)* |
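Review bot: the new Lambda row ends its last column with `[s3_endpoint_policy.json](...)*`, but the other S3 rows in this hunk carry no trailing asterisk while the CloudFormation, IAM and Lambda layer rows do; confirm whether the footnote marker is intended for this row. The cell text `for more details.|` is also missing the space before the delimiter that the neighbouring rows have. Since the row states that Lambda signs the URL with its own service principal, the case the new `PreventCreationOfServicePresignedURL` SCP targets, cross-reference that SCP in the last column alongside the endpoint policy.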
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
# Service-specific guidance
2+
3+
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
4+
5+
## Description
6+
7+
This folder contains service-specific documents with additional considerations that you might want to review and consider when implementing a data perimeter for a service. Each service-specific document contains a list of service APIs reviewed against data perimeter control objectives to assess whether additional considerations apply to a service within the scope of current analysis.
8+
9+
For each consideration, we provide prescriptive guidance about controls you might want to implement in addition to the [general data perimeter guidance and default policies](../#General-data-perimeter-guidance).
10+
11+
The following are the types of additional controls that you might want to consider:
12+
* **Preventative controls**: Security controls designed to prevent actions that lead to deviations from your data perimeter baseline. These controls are implemented by using [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) or [resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html).
13+
* **Proactive controls**: Security controls designed to prevent resource configurations that lead to deviations from your data perimeter baseline. These controls are implemented through automated checks within deployment pipelines, such as those supported with [AWS CloudFormation Hooks](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/what-is-cloudformation-hooks.html). Though we primarily use CloudFormation hooks in the prescriptive guidance, you can implement policy-as-code checks by using your preferred infrastructure as code (IaC) tooling.
14+
* **Detective controls**: Security controls designed to detect actions or resource configurations that lead to deviations from your data perimeter baseline. These controls can be implemented by using [AWS CloudTrail](https://aws.amazon.com/cloudtrail/) ([management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-events.html#cloudtrail-management-events), [data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-events.html#cloudtrail-data-events), [network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-events.html#cloudtrail-network-events)), [AWS Config](https://aws.amazon.com/config/), and your preferred log analysis tools. If necessary, you can remediate detected deviations with the responsive controls of your choice.
15+
16+
Based on your risk-mitigation strategy, determine which of these control types to apply for additional considerations outlined in each service-specific document.
17+
18+
When AWS services make calls to other services on your behalf, you might need to review service-specific guidance for all services in use to implement appropriate controls. For example, when using services that stores data using your Amazon S3 buckets, consider implementing data perimeter controls for Amazon S3 by consulting S3-specific guidance for comprehensive control coverage.
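Review bot: line 18 reads `services that stores data using your Amazon S3 buckets`; it should be `services that store data in your Amazon S3 buckets`. The link `../#General-data-perimeter-guidance` relies on the heading anchor GitHub generates, which is lowercase (`#general-data-perimeter-guidance`), so lowercase the fragment. The Description also promises per-service documents listing the APIs reviewed, but none accompanies this commit; add at least one, or say they are forthcoming. Minor: `CloudFormation hooks` on line 13 and `AWS CloudFormation Hooks` in the link text should use one capitalization.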
